Strengths and Weaknesses of Near Field Communication (NFC) Technology
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Journal of Computer Science and Technology
Volume 11 Issue 3 Version 1.0 March 2011
Type: Double Blind Peer Reviewed International Research Journal
Publisher: Global Journals Inc. (USA)
Online ISSN: 0975-4172 & Print ISSN: 0975-4350
Strengths and Weaknesses of Near Field Communication (NFC)
Technology
By Mohamed Mostafa Abd Allah
Minia University
About- This paper gives a comprehensive analysis of security with respect to NFC. We propose a
protocol that can be used between an RFID tag and a reader to exchange a secret without
performing any expensive computation. The paper introduced an NFC specific key agreement
mechanism, which provides cheap and fast secure key agreement. Key agreement techniques
without authentication can be used to provide a standard secure channel. This resistance against
Man-in-the-Middle attacks makes NFC an ideal method for secure pairing of devices. The paper
lists some of threats, which are applicable to NFC, and describes solutions to protect against these
threats.
Keywords: Near Field Communication, threats, key agreement.
Classification: GJCST Classification: E.3, E.4, C.2.0
Strengths and Weaknesses of Near Field Communication NFC Technology
Strictly as per the compliance and regulations of:
© 2011 Mohamed Mostafa Abd Allah. This is a research/review paper, distributed under the terms of the Creative Commons
Attribution-Noncommercial 3.0 Unported License http://creativecommons.org/licenses/by-nc/3.0/), permitting all non-commercial use,
distribution, and reproduction inany medium, provided the original work is properly cited.
Strengths and Weaknesses of Near Field
Communication (NFC) Technology
March 2011
Mohamed Mostafa Abd Allah
About- This paper gives a comprehensive analysis of security When the user wants to perform a payment or use the
with respect to NFC. We propose a protocol that can be used stored ticket, the user presents the device to a reader,
between an RFID tag and a reader to exchange a secret which checks the received information and processes 51
without performing any expensive computation. The paper the payment or accepts/rejects the ticket. In this
introduced an NFC specific key agreement mechanism, which
application example the user device must be able to
provides cheap and fast secure key agreement. Key
perform a certain protocol with the reader. A simple read
Volume XI Issue III Version I
agreement techniques without authentication can be used to
provide a standard secure channel. This resistance against operation will not be sufficient in most cases. Also, the
Man-in-the-Middle attacks makes NFC an ideal method for se- user device is likely to have a second interface which is
cure pairing of devices. The paper lists some of threats, which used to load money or to buy tickets. This second
are applicable to NFC, and describes solutions to protect interface can for example be linked to the mobile phone
against these threats. CPU. The ticket data could then be loaded into the
Keywords: Near Field Communication, threats, key mobile phone via the cellular network. Because NFC is a
agreement. wireless communication interface it is obvious that threat
is an important issue. When two devices communicate
I. Introduction via NFC they use RF waves to talk to each other. An
N
ear Field Communication (NFC) is a technology attacker can of course use an antenna to also receive
for high frequency wireless short-distance point- the transmitted signals. Either by experimenting or by
to-point communication. The operational range literature research the attacker can have the required
Global Journal of Computer Science and Technology
for NFC is within less than 20 cm which is good from a knowledge on how to extract the transmitted data out of
security perspective as it diminishes the threat of the received RF signal. Also the equipment required to
eavesdropping. Other reasons to use NFC are the low receive the RF signal as well as the equipment to
cost of the necessary components and that the decode the RF signal must be assumed to be available
connecting time is negligible. It is small circuit attached to an attacker as there is no special equipment
to a small antenna, capable of transmitting data to a necessary. In this paper we use a systematic approach
distance of several meters to a reader device (reader) in to analyze the various aspects of security whenever an
response to a query. Most RFID tags are passive, NFC interface is used. We want to clear up many
meaning that they are battery-less, and obtain their misconceptions about security and NFC in various
power from the query signal. They are already attached applications. The paper lists the threats, which are
to almost anything: clothing, foods, access cards and so applicable to NFC, and describes solutions to protect
on. It is impossible to give a complete picture of NFC against these threats. The rest of this paper is organized
applications as NFC is just an interface. Contactless as follows. A brief description about NFC operation
Token covers most of applications, which use NFC to modes are given in Section (2). A list of threats
retrieve some data from a passive token. The passive technique is discussed in Section (3). Real solution
token could be a contactless Smart Card, an RFID label, against these threats and establishes a secure channel
or a key fob. In Ticketing / Micro Payment application is presented in Section (4). Finally, concluding remarks
example, the NFC interface is used to transfer some are made in Section (5).
valuable information. The ticket or the micro payment
data is stored in a secure device. This could be a
contactless Smart Card, but could as well be a mobile
phone.
About- Minia University, Faculty of Engineering, Department of
Electrical, Communications and Electronics section, Egypt Royal
Commission, Yanbu Industrial Collage, Department of Electrical and
Electronics, KSA
E-mail: mmustafa@yic.edu.sa
Figure1– Typical communication procedure
©2011 Global Journals Inc. (US)
Strengths and Weaknesses of Near Field Communication NFC Technology
RF signal is not zero, but it is about 82% of the level of a
non paused signal. This difference in the modulation
strength is very important from a security point of view
as we will describe later on in the security analysis.
March 2011
In passive mode the data is sent using a weak
load modulation. The data is always encoded using
a) Manchester code Manchester coding with a modulation of 10%. For 106
kBaud a subcarrier frequency is used for the modulation,
for baudrates greater than 106 kBaud the base RF signal
at 13.56 MHz is modulated.
Additionally to the active and passive mode,
52 there are two different roles a device can play in NFC
communication. NFC is based on a message and reply
Figure.2 (b) Modified Miller code concept. This means one device A sends a message to
II. NFC Operation Modes another device B and device B sends back a reply. It is
Volume XI Issue III Version I
not possible for device B to send any data to device A
NFC can operate in two modes. The modes are without first receiving some message from device A, to
distinguished whether a device creates its own RF field which it could reply. The role of the device A which starts
or whether a device retrieves the power from the RF field the data exchange is called initiator, the role of the other
generated by another device. If the device generates its device is called target. Furthermore it should be
own field and has a power supply, it is called an active mentioned that NFC communication is not limited to a
device; otherwise it is called a passive device. When two pair of two devices. In fact one initiator device can talk to
devices communicate three different configurations are multiple target devices. In this case all target devices are
possible (Active-Active, Active-Passive, and Passive- enabled at the same time, but before sending a
Active). These configurations are important because the message, the initiator device must select a receiving
way data is transmitted depends on whether the device. The message must then be ignored by all non
transmitting device is in active or passive mode. selected target devices. Only the selected target device
Global Journal of Computer Science and Technology
In active mode the data is sent using amplitude is allowed to answer to the received data. Therefore, it is
shift keying (ASK) [1],[2]. This means the base RF signal not possible to send data to more than one device at the
(13,56 MHz) is modulated with the data according to a same time (i.e. broadcasting messages are not
coding scheme. If the baudrate is 106 kBaud, the coding possible).
scheme is the so-called modified Miller coding. If the Typical communication procedure between the initiator
baudrate is greater than 106 kBaud the Manchester and target can be highlighted as shown in figure 1.
coding scheme is applied. As shown in figure 2, each Handshake:
single data bit in both coding schemes is sent in a fixed The interrogator sends a command to start
time slot. This time slot is divided into two halves, called communication with transponder in the
half bits. In Miller coding a zero is encoded with a pause interrogator field and also to power it (passive
in the first half bit and no pause in the second half bit. A transponders).
one is encoded with no pause in the first bit, but a pause Once the tag has received sufficient energy and
in the second half bit. In the modified Miller coding some command from the reader, it reply’s with its ID
additional rules are applied on the coding of zeros. In for acknowledgment.
the case of a one followed by a zero, two subsequent The reader now knows which tag is in the field
half bits would have a pause. Modified Miller coding and sends a command to the identified tag for
avoids this by encoding a zero, which directly follows a instructions either for processing (read or write)
one with two half bits with no pause. or Sleep.
In the Manchester coding the situation is nearly Data exchange:
the same, but instead of having a pause in the first or If the tag receives processing and reading
second half bit, the whole half bit is either a pause or commands, it transmits a specified block data
modulated. and waits for the next command.
Besides the coding scheme also the strength of If the tag receives processing and writing
the modulation depends on the baudrate. For 106 commands along with block data, it writes the
kBaud 100% modulation is used. This means that in a block data into the specified memory block, and
pause the RF signal is actually zero. No RF signal is sent transmits the written block data for verification.
in a pause. For baudrates greater than 106 kBaud 10%
modulation ratio is used. According to the definition of
this modulation ratio [1], this means that in a pause the
©2011 Global Journals Inc. (US)Strengths and Weaknesses of Near Field Communication NFC Technology
III. NFC Applications Threats • Setup of the location where the attack is
performed (e.g. barriers like walls or metal,
Although contactless token systems may noise floor level)
emerge as one of the most pervasive computing Furthermore, eavesdropping is extremely
technologies, there are still a vast number of problems affected by the communication mode. That’s because,
March 2011
that need to be solved before their massive deployment. based on the active or passive mode, the transferred
One of the fundamental issues still to be addressed is data is coded and modulated differently. If data is
privacy. Products labeled with tags reveal sensitive transferred with stronger modulation it can be attacked
information when queried by readers, and they do it easier. Thus, a passive device, which does not generate
indiscriminately. its own RF field, is much harder to attack, than an active
A problem closely related to privacy is tracking, device.
or violations of location privacy. This is possible because Therefore any exact number given would only 53
the answers provided by tags are usually predictable: in be valid for a certain set of the above given parameters
fact, most of the times, tags provide always the same and cannot be used to derive general security
identifier, which will allow a third party to easily establish guidelines.
an association between a given tag and its holder or
Volume XI Issue III Version I
Avoiding eavesdropping can be done by
owner. Even in the case in which tags try not to reveal establishing a secure channel as outlined in section 4.1.
any kind of valuable information that could be used to This requires the establishment of a session secret key,
identify themselves or their holder, there are many which is not always an easy task considering the very
situations where, by using an assembly of tags limited devices’ capacities.
(constellation), this tracking will still be possible.
Although the two aforementioned problems are the most 2) Data Modification Threats
important security questions that arise from NFC As shown in figure 3, instead of just listening, an
technology, there are some others worth to mention: attacker can also try to modify the data which is
1) Eavesdropping Threats transmitted via the NFC interface. In the simplest case
the attacker just wants to disturb the communication
In this type of attacks, unintended recipients are such that the receiver is not able to understand the data
able to intercept and read messages.
Global Journal of Computer Science and Technology
sent by the other device.
The NFC communication is usually done In data modification, the attacker wants the
between two devices in close proximity. This means they receiving device to actually receive some valid, but
are not more than 10 cm (typically less) away from each manipulated data. This is very different from just data
other. The main question is how close an attacker needs corruption.
to be to be able to retrieve a usable RF signal. The feasibility of this attack highly depends on
Unfortunately, there is no correct answer to this the applied strength of the amplitude modulation. This is
question. The reason for that is the huge number of because the decoding of the signal is different for 100%
parameters which determine the distance depends on in modified Miller coding modulation and 10% in
the following parameters, Manchester coding modulation.
• RF filed characteristic of the given sender In 100% modulation the decoder checks the two
device (i.e. antenna geometry, shielding effect half bits for RF signal on (no pause) or RF signal off
of the case, the PCB, the environment) (pause). In order to make the decoder understand a one
• Characteristic of the attacker’s antenna (i.e. as a zero or vice versa, the attacker must do two things.
antenna geometry, possibility to change the First, a pause in the modulation must be filled up with
position in all 3 dimensions) the carrier frequency. This is feasible. But, secondly, the
• Quality of the attacker’s receiver attacker must generate a pause of the RF signal, which
• Quality of the attacker’s RF signal decoder is received by the legitimate receiver. This means the
Power sent out by the NFC device attacker must send out some RF signal such that this
signal perfectly overlaps with the original signal at the
receiver’s antenna to give a zero signal at the receiver.
This is practically impossible. However, due to the
modified Miller coding in the case of two subsequent
ones, the attacker can change the second one into a
zero, by filling the pause, which encodes the second
one. The decoder would then see no pause in the
second bit and would decode this as a correct zero,
because a one precedes it. In 100% modulation an
attacker can therefore never change a bit of value 0 to a
Figure 3 Eavesdropping and Data Modification Threats bit of value 1, but an attacker can change a bit of value 1
©2011 Global Journals Inc. (US)Strengths and Weaknesses of Near Field Communication NFC Technology
to a bit of value 0, in case this bit is preceded by a bit of the same time. It is practically impossible to perfectly
value 1 (i.e. with a probability of 0.5). In 10% modulation align these two RF fields. Thus, it is practically
the decoder measures both signal levels (82% and Full) impossible for Bob to understand data sent by Eve.
and compares them. In case they are in the correct Because of this and the possibility of Alice to detect the
March 2011
range the signal is valid and gets decoded. An attacker attack much earlier we conclude that in this setup a
could try to add a signal to the 82% signal, such that the Man-in-the-Middle attacks is practically impossible.
82% signal appears as the Full signal and the actual Full The only other possible setup is that Alice uses
signal becomes the 82% signal. This way the decode active mode and Bob uses active mode, too. In this case
would decode a valid bit of the opposite value of the bit Alice sends some data to Bob. Eve can list and Eve
sent by the correct sender. Whether the attack is feasible again must disturb the transmission of Alice to make
depends a lot on the dynamic input range of the sure that Bob does not receive the data. At this point
54 receiver. It is very likely that the much higher signal level Alice could already detect the disturbance done by Eve
of the modified signal would exceed the possible input and stop the protocol. Again, let us assume that Alice
range, but for certain situations this cannot be ruled out does not do this check and the protocol continues. In
completely. The conclusion is that for the modified Miller the next step Eve would need to send data to Bob. At
Volume XI Issue III Version I
encoding with 100% ASK this attack is feasible for first sight this looks better now, because of the active-
certain bits and impossible for other bits, but for active communication Alice has turned off the RF field.
Manchester coding with 10% ASK this attack is feasible Now Eve turns on the RF field and can send the data.
on all bits. The problem here now is that also Alice is listening as
Protection against data modification can be she is expecting an answer from Bob. Instead she will
achieved in various ways. By using 106k Baud in active receive the data sent by Eve and can again detect a
mode it gets impossible for an attacker to modify all the problem in the protocol and stop the protocol. It is
data transmitted via the RF link as described above. This impossible in this setup for Eve to send data either to
means that for both directions active mode would be Alice or Bob and making sure that this data is not
needed to protect against data modification. While this is received by Bob or Alice, respectively.
possible, this has the major drawback, that this mode is We claim that due to the above given reasons it
most vulnerable to eavesdropping. In addition, the is practically infeasible to mount a Man-in-the-Middle
Global Journal of Computer Science and Technology
protection against modification is not perfect, as even at attack in a real-world scenario. It is practically impossible
106k Baud some bits can be modified. The two other to do a Man-in-the-Middle-Attack on an NFC link.
protection options might therefore be preferred. NFC Therefore, setup a secure channel with an active-passive
devices can check the RF field while sending. This communication mode as outlined in section 4.1 can be
means the sending device could continuously check for used to improve privacy and prevent tracking against
such an attack and could stop the data transmission Man-in-the-Middle-Attacks Additionally, the active party
when an attack is detected. The third and probably best should listen to the RF filed while sending data to be
solution would be a secure channel as described in sec- able to detect any disturbances caused by a potential
tion 4.1. attacker.
3) Man-in-the-Middle Threats IV. Solutions and Recommendations
In Man-in-the-Middle Attack, two parties want to In this section we present the best solutions
talk to each other, called Alice and Bob, are tricked into proposed so far to solve the security problems and
a three party conversation by an attacker Eve. This is threats associated with the use of NFC systems. Our
shown in Figure 3. Assuming that Alice uses active objective is not to give a detailed explanation of each
mode and Bob would be in passive mode, we have the solution, but to provide the fundamental principles and a
following situation. Alice generates the RF field and critical review of every proposal.
sends data to Bob. In case Eve is close enough, she
can eavesdrop the data sent by Alice. Additionally she
must actively disturb the transmission of Alice to make
sure that Bob doesn’t receive the data. This is possible
for Eve, but this can also be detected by Alice. In case
Alice detects the disturbance, Alice can stop the key
agreement protocol. Let’s assume Alice does not check
for active disturbance and so the protocol can continue.
In the next step Eve needs to send data to Bob. That’s
already a problem, because the RF field generated by
Alice is still there, so Eve has to generate a second RF
field. This however, causes two RF fields to be active at
©2011 Global Journals Inc. (US)Strengths and Weaknesses of Near Field Communication NFC Technology
March 2011
55
Figure4 NFC specific Key Agreement
Figure5- Total signal seen on RF Field
Volume XI Issue III Version I
Most of classical solution approach protecting amplitudes and phases. While sending random bits of 0
the privacy of NFC communication is done by isolating or 1, each device also listens to the RF field. When both
them from any kind of electromagnetic waves. This can devices send a zero, the sum signal is zero and an
be made using what is known as a Faraday Cage (FC), attacker, who is listening, would know that both devices
a container made of metal mesh or foil that is sent a zero. This does not help. The same thing
impenetrable by radio signals (of certain frequencies). happens when both, A and B, send a one. The sum is
There are currently a number of companies that sell this the double RF signal and an attacker knows that both
type of solution [13]. Other solution is active jamming devices sent a one. It gets interesting once A sends a
approach that disturbing the radio channel, RF signals. zero and B sends a one or vice versa. In this case both
This disturbance may be done with a device that actively devices know what the other device has sent, because
broadcasts radio signals, so as to completely disrupt the the devices know what they themselves have sent.
radio channel, thus preventing the normal operation of However, an attacker only sees the sum RF signal and
Global Journal of Computer Science and Technology
RFID readers. he cannot figure out which device sent the zero and
1) Secure Channel for NFC which device sent the one. This idea is illustrated in
Figure 4.
Establishing a secure channel between two NFC In figure 5, the top figure shows the signals
devices is clearly the best approach to protect against produced by A and by B. A sends the four bits: 0, 0, 1,
eavesdropping, data modification attack, and enhance and 1. B sends the four bits: 0, 1, 0, and 1. The lower
the inherent protection of NFC against Man-in-the- graph shows the sum signal as seen by an attacker. It
Middle-Attacks. A standard key agreement protocol like shows that for the bit combinations (A sends 0, B sends
Diffie-Hellmann based on RSA [4] or Elliptic Curves 1) and (A sends 1, B sends 0) the result for the attacker
could be applied to establish a shared secret between is absolutely the same and the attacker cannot
two devices. The shared secret can then be used to distinguish these two cases. The two devices now
derive a symmetric key like 3DES or AES, which is then discard all bits, where both devices sent the same value
used for the secure channel providing confidentiality, and collect all bits, where the two devices sent different
integrity, and authenticity of the transmitted data. Various values. They can either collect the bits sent by A or by B.
modes of operation for 3DES and AES could be used for This must be agreed on start-up, but it doesn’t matter.
such a secure channel and can be found in literature [3]. This way A and B can agree on an arbitrary long shared
2) Proposed NFC Key Agreement secret. A new bit is generated with a probability of 50%.
Thus, the generation of a 128 bit shared secret would
The proposed NFC specific key agreement need approximately 256 bits to be transferred. At a baud
does not require any asymmetric cryptography and rate of 106 k Baud this takes about 2.4 ms, and is
therefore reduces the computational requirements therefore fast enough for all applications. The security of
significantly. The scheme works with 100% ASK only this protocol in practice depends on the quality of the
where, both devices say Device A and Device B, send synchronization which is achieved between the two
random data at the same time. In a setup phase the two devices. Obviously, if an eavesdropper can distinguish
devices synchronize on the exact timing of the bits and data sent by A from data sent by B, the protocol is
also on the amplitudes and phases of the RF signal. This broken. The data must match in amplitude and in phase.
is possible as devices can send and receive at the same Once the differences between A and B are significantly
time. After that synchronization, A and B are able to below the noise level received by the eavesdropper the
send at exactly the same time with exactly the same protocol is secure. The level of security therefore also
©2011 Global Journals Inc. (US)Strengths and Weaknesses of Near Field Communication NFC Technology
depends on the signal quality at the receiver. The signal 8. Juels and R. Pappu. Squealing euros. (2003).
quality however again depends on many parameters Privacy protection in RFID-enabled banknotes.
(e.g. distance) of the eavesdropper. In practice the two In FC'03, volume 2742 of LNCS, IFCA, Springer-
devices A and B must aim at perfect synchronization. Verlag. pages 103-121.
March 2011
This can only be achieved if at least one of A or B is an 9. Juels, R. Rivest, and M. Szydlo. (2003). The
active device to perform this synchronization. blocker tag: Selective blocking of RFID tags for
consumer privacy. In ACM CCS'03 ACM, ACM
V. Conclusion Press, pages 103-111.
We presented typical use cases for NFC 10. Juels and S. Weis. (2005). Authenticating
interfaces. A list of threats has been derived and pervasive devices with human protocols. In
addressed. NFC by itself cannot provide protection CRYPTO'05, IACR, Springer-Verlag. volume
56 against eavesdropping or data modifications. The only 3126 of LNCS, pages 293-308.
solution to achieve this is the establishment of a secure 11. M. Jung, H. Fiedler, and R. Lerch. (2005). 8-bit
channel over NFC. This can be done very easily, microcontroller system with area efficient AES
because the NFC link is not susceptible to the Man-in- coprocessor for transponder applications.
Volume XI Issue III Version I
the-Middle attack. Therefore, well known and easy to Ecrypt Workshop on RFID and Lightweight
apply key agreement techniques without authentication Crypto.
can be used to provide a standard secure channel. This 12. S. Kinoshita, F. Hoshino, T. Komuro, A.
resistance against Man-in-the-Middle attacks makes Fujimura, and M. Ohkubo. (2004). Low-cost
NFC an ideal method for secure pairing of devices. RFID privacy protection scheme. In IPS Journal
Additionally, we introduced an NFC specific key 45, 8, pages 2007-2021.
agreement mechanism, which provides cheap and fast 13. S.M. Lee, Y.J. Hwang, D.H. Lee, and J.I.L. Lim.
secure key agreement. (2005). efficient authentication for low-cost RFID
systems. In Proc. of ICCSA'05, volume 3480 of
References Références Referencias LNCS, Verlag, pages 619-627.
1. C. Castelluccia and G. Avoine, (2006). Noisy
Global Journal of Computer Science and Technology
Tags: A Pretty Good Key Exchange Protocol for
RFID Tags, Proceedings of CARDIS, LNCS
3928, 289-299.
2. E.Y. Choi, S.M. Lee, and D.H. Lee.
(2005).Efficient RFID authentication protocol for
ubiquitous computing environment. In Proc. of
SECUBIQ'05, LNCS.
3. T. Dimitriou. (2005). A lightweight RFID protocol
to protect against traceability and cloning
attacks. In Proc. of SECURECOMM'05.
4. M. Feldhofer, S. Dominikus, and J.
Wolkerstorfer. (2004). Strong authentication for
RFID systems using the AES algorithm. In Proc.
of CHES'04, volume 3156 of LNCS,
5. P. Golle, M. Jakobsson, A. Juels, and P.
Syverson. (2004).Universal re-encryption for
mixnets. In CT-RSA'04, Springer-Verlag, volume
2964 of LNCS, pages 163-178.
6. D. Henrici and P. MÄuller. (2004). Hash-based
enhancement of location privacy for
radiofrequency identi¯cation devices using
varying identifiers. In PERSEC'04, IEEE
Computer Society, pages 149-153.
A. Juels. (2004). Minimalist cryptography for low-
cost RFID tags. In SCN'04, Springer-Verlag
volume 3352 of LNCS, pages 149-164.
7. Juels and J. Brainard. (2004). Soft blocking:
Flexible blocker tags on the cheap. In WPES'04,
ACM, ACM Press. pages 1-7.
©2011 Global Journals Inc. (US)You can also read
